OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: Xelas on August 26, 2020, 09:38:39 am

Title: Force redirect DNS to pihole
Post by: Xelas on August 26, 2020, 09:38:39 am
LAN is: 172.16.1.1/24
pihole is at 172.16.1.5
opnsense unbound is obviously at 172.16.1.1

I'm trying to redirect all DNS traffic to the pihole. pihole should then go to 172.16.1.1 (to allow local dns resolution to work) then the router goes out to 8.8.8.8 or whatever.

First, I created a "quick" rule to allow the pihole to query the router (and only it should be allowed to query the router) and it's sitting as the first rule
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: 172.16.1.5/32
Source port range: DNS
Destination / Invert: unchecked
Destination: This Firewall
Destination Port: DNS

Then I added a forward NAT:
Interface: LAN
Protocol: TCP/UDP
Source: LAN address
Source port range: DNS
Destination / Invert: Checked
Destination: 172.16.1.5/32
Destination Port: DNS
Redirect target IP: 172.16.1.5
Redirect target port: DNS
NAT reflection: Disable

This isn't working, as I can change the DNS setting manually on a PC on the LAN and happily bypass the firewall.

What am I missing?
Title: Re: Force redirect DNS to pihole
Post by: sorano on August 26, 2020, 09:52:22 am

What am I missing?


Knowledge?

 ;D I would say that you need a block/reject rule for DNS ports to all destinations except 172.16.1.5

Title: Re: Force redirect DNS to pihole
Post by: nines on August 26, 2020, 09:55:52 am

What am I missing?


Knowledge?

 ;D I would say that you need a block/reject rule for DNS ports to all destinations except 172.16.1.5

No, because it's blocked by default.

@Xelas, you need a source nat rule too, otherwise your "routing" will be asynchronous. Just rewrite to the opnsense internal ip and you should be fine. You also need to take care that the actual dns (pihole) should still be able to access everything via udp/53
Title: Re: Force redirect DNS to pihole
Post by: sorano on August 26, 2020, 05:36:43 pm

What am I missing?


 ;D I would say that you need a block/reject rule for DNS ports to all destinations except 172.16.1.5

No, because it's blocked by default.


Lol, dumbest reply I've read today.  ::)::)::)

Do you have secret access to his firewall rules @nines ? Or are you just making dumb assumptions?

Obviously he has something that allows outbound external DNS otherwise he would not be writing:


This isn't working, as I can change the DNS setting manually on a PC on the LAN and happily bypass the firewall.

Title: Re: Force redirect DNS to pihole
Post by: AdSchellevis on August 26, 2020, 05:57:40 pm
@sorano please try to keep this civilised, not everybody has the same background, we welcome everybody to join a discussion as long as people are treated respectfully.
Title: Re: Force redirect DNS to pihole
Post by: gpb on August 26, 2020, 07:08:25 pm
LAN is: 172.16.1.1/24
pihole is at 172.16.1.5
opnsense unbound is obviously at 172.16.1.1

I'm trying to redirect all DNS traffic to the pihole. pihole should then go to 172.16.1.1 (to allow local dns resolution to work) then the router goes out to 8.8.8.8 or whatever.

Then I added a forward NAT:
Interface: LAN
Protocol: TCP/UDP
Source: LAN address
Source port range: DNS
Destination / Invert: Checked
Destination: 172.16.1.5/32
Destination Port: DNS
Redirect target IP: 172.16.1.5
Redirect target port: DNS
NAT reflection: Disable

This isn't working, as I can change the DNS setting manually on a PC on the LAN and happily bypass the firewall.

What am I missing?

Source port should be ANY, not DNS (destination is DNS).  You'll also need a second rule for ipv6 if you're using ipv6.  For ipv6, use the link-local address on the pihole as that won't change.  Not sure you need that first rule.

EDIT: did you include pihole's ip address in your DHCP settings so hosts know where to go?
Title: Re: Force redirect DNS to pihole
Post by: seed on August 26, 2020, 07:27:34 pm
I did not test this, but this thread might be related:

HOWTO - Redirect all DNS Requests to Opnsense
https://forum.opnsense.org/index.php?topic=9245.0
Title: Re: Force redirect DNS to pihole
Post by: Koldnitz on August 26, 2020, 07:52:09 pm
This guy’s guide worked for me and several others I believe.

https://homenetworkguy.com/how-to/configure-dns-opnsense-pihole/

Cheers,
Title: Re: Force redirect DNS to pihole
Post by: AhnHEL on August 26, 2020, 09:42:01 pm

Then I added a forward NAT:
Interface: LAN
Protocol: TCP/UDP
Source: LAN address
Source port range: DNS
Destination / Invert: Checked
Destination: 172.16.1.5/32
Destination Port: DNS
Redirect target IP: 172.16.1.5
Redirect target port: DNS
NAT reflection: Disable

I think for SOURCE you would want LAN NET not LAN Address.  But I find that if you do that then the PiHOLE itself will be included in the Port Forward and cause DNS to fail.  So I used the Invert feature and set up my Port Forward like this

INT   PROTO     SOURCE        PORT   DESTINATION   PORT      NAT IP       NAT PORT
LAN   TCP/UDP   !172.16.1.5   ANY    !172.16.1.5   53(DNS)   172.16.1.5   53(DNS)

Title: Re: Force redirect DNS to pihole
Post by: Xelas on August 27, 2020, 04:47:15 am
This guy’s guide worked for me and several others I believe.

https://homenetworkguy.com/how-to/configure-dns-opnsense-pihole/

Cheers,

To be clear, and I did not note this in my OP, I am publishing the pihole's IP as the DNS address in DHCP. Well-behaved clients that respect DHCP go to the pihole. I looked at the logs and found that some devices were ignoring that and using their own DNS anyway, so what I'm trying to do is to intercept those DNS requests and route them through the pihole. I completely understand that this is futile as a security measure - I'm interested in:
1) tracking which devices are doing this
2) whacking a few more ads out of the way
Title: Re: Force redirect DNS to pihole
Post by: Xelas on August 27, 2020, 04:50:02 am
...
Source port should be ANY, not DNS (destination is DNS).  You'll also need a second rule for ipv6 if you're using ipv6.  For ipv6, use the link-local address on the pihole as that won't change.  Not sure you need that first rule.

Why would the source port be "any"? Won't that have the effect of routing all traffic on all ports to the pihole on port 53?

Frontier FIOS doesn't have IPV6, so I'm not worrying about that yet. I have IPV6 turned off for now.
Title: Re: Force redirect DNS to pihole
Post by: Xelas on August 27, 2020, 04:54:06 am

Then I added a forward NAT:
Interface: LAN
Protocol: TCP/UDP
Source: LAN address
Source port range: DNS
Destination / Invert: Checked
Destination: 172.16.1.5/32
Destination Port: DNS
Redirect target IP: 172.16.1.5
Redirect target port: DNS
NAT reflection: Disable

I think for SOURCE you would want LAN NET not LAN Address.  But I find that if you do that then the PiHOLE itself will be included in the Port Forward and cause DNS to fail.  So I used the Invert feature and set up my Port Forward like this

INT   PROTO     SOURCE        PORT   DESTINATION   PORT      NAT IP       NAT PORT
LAN   TCP/UDP   !172.16.1.5   ANY    !172.16.1.5   53(DNS)   172.16.1.5   53(DNS)

That rule makes a ton of sense, thank you! It also looks like it eliminates needing to have another rule ahead of it to handle the pihole as a special case, so it kills 2 birds with 1 stone. Elegant.
I'll give this a shot tonight or tomorrow night after my family shuts down. Don't want to clobber precious Netflix time :-)
Title: Re: Force redirect DNS to pihole
Post by: AhnHEL on August 27, 2020, 06:57:27 am

That rule makes a ton of sense, thank you! It also looks like it eliminates needing to have another rule ahead of it to handle the pihole as a special case, so it kills 2 birds with 1 stone. Elegant.
I'll give this a shot tonight or tomorrow night after my family shuts down. Don't want to clobber precious Netflix time :-)

Was playing around with this some more tonight thanks to your post and I was still locking myself out of DNS if I attempted to use an External DNS like 8.8.8.8.  Not sure if this applies to your setup but it seems to require some extra configuration for mine because I'm using Unbound with DNS over TLS as the Upstream Server to the PiHOLE.  Anyway, truly figured it out now:

1. Go to Firewall/Settings/Advanced:  Enable Automatic outbound NAT for Reflection
2. Go to Firewall/NAT/Port Forward and setup rule like below.

       INT   PROTO     SOURCE   PORT   DESTINATION    PORT      NAT IP                   NAT PORT
<->    LAN   TCP/UDP   ANY      ANY    !LAN ADDRESS   53(DNS)   (PIHOLE IP) 172.16.1.5   53(DNS)

Be sure to create the Associated Filter Rule with the above Port Forward and place it at the top of your LAN Rules.

3.  Go to Firewall/Rules/LAN and create a firewall rule to PASS from your PiHole to the LAN ADDRESS on port 53 and place it below the above Associated Filter Rule.

        PROTO        SOURCE      PORT    DESTINATION       PORT

>    TCP/UDP      PIHOLE IP     ANY     LAN ADDRESS     53(DNS)

4.  Create a BLOCK rule now for External DNS after the above rule.  If the Port Forward is working, this rule should never hit so enable logging on it so you can see if there are issues.

      PROTO         SOURCE      PORT    DESTINATION       PORT

X   TCP/UDP         ANY          ANY            ANY             53(DNS)


Hope this helps you and/or anyone else using PiHOLE with Unbound DNS over TLS.
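To see why the inverted port forward from the earlier post (Source !172.16.1.5, Destination !172.16.1.5) differs from a plain "LAN net" source, and why the block rule in step 4 above should stay silent, here is an added model of the rule set, written for this thread and not taken from OPNsense or any poster. It assumes pf's behaviour of applying the rdr translation before filter rules, a default LAN allow rule for non-DNS traffic, and made-up rule names; the addresses are the thread's own.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed from the thread: LAN 172.16.1.0/24, firewall/Unbound at .1, Pi-hole at .5
LAN_NET = ip_network("172.16.1.0/24")
LAN_ADDR = ip_address("172.16.1.1")
PIHOLE = ip_address("172.16.1.5")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"

def naive_rdr(pkt):
    """Port forward with Source = LAN net, Destination = any, port 53 -> Pi-hole.
    LAN net includes the Pi-hole, so its own upstream queries are caught too."""
    if pkt.proto in ("udp", "tcp") and pkt.dport == 53 and ip_address(pkt.src) in LAN_NET:
        return replace(pkt, dst=str(PIHOLE))
    return pkt

def inverted_rdr(pkt):
    """AhnHEL's rule: Source !172.16.1.5, Destination !172.16.1.5, port 53 -> 172.16.1.5:53.
    Both inversions exempt the Pi-hole, as sender and as intended destination."""
    if (pkt.proto in ("udp", "tcp") and pkt.dport == 53
            and ip_address(pkt.src) != PIHOLE and ip_address(pkt.dst) != PIHOLE):
        return replace(pkt, dst=str(PIHOLE))
    return pkt

def filter_stage(pkt):
    """Filter rules top-down, first match wins, applied to the translated packet
    (assumption: pf performs the rdr translation before filtering). Returns (action, rule)."""
    if pkt.dport == 53 and ip_address(pkt.dst) == PIHOLE:
        return "pass", "associated rule of the port forward"
    if pkt.dport == 53 and ip_address(pkt.src) == PIHOLE and ip_address(pkt.dst) == LAN_ADDR:
        return "pass", "Pi-hole -> LAN address 53"
    if pkt.dport == 53:
        return "block", "catch-all DNS block (logged)"   # step 4: should never hit
    return "pass", "default LAN allow (assumed)"

def evaluate(pkt, rdr):
    """Run one packet through the rdr and then the filter; returns (final dst, action, rule)."""
    translated = rdr(pkt)
    action, rule = filter_stage(translated)
    return translated.dst, action, rule

def block_hits(packets, rdr):
    """Packets that reach the logged block rule; anything here means the redirect has a gap."""
    return [p for p in packets if evaluate(p, rdr)[1] == "block"]

SAMPLE = [  # constructed traffic
    Packet("172.16.1.20", "8.8.8.8", 53),          # client ignoring the DHCP-advertised DNS
    Packet("172.16.1.20", "172.16.1.5", 53),       # well-behaved client
    Packet("172.16.1.5", "172.16.1.1", 53),        # Pi-hole's upstream query to Unbound
    Packet("172.16.1.5", "8.8.8.8", 53),           # Pi-hole bypassing Unbound: not allowed here
    Packet("172.16.1.20", "8.8.8.8", 443, "tcp"),  # non-DNS traffic, untouched
]

if __name__ == "__main__":
    for rdr in (naive_rdr, inverted_rdr):
        for p in SAMPLE:
            print(rdr.__name__, p.src, "->", p.dst, p.dport, "=>", evaluate(p, rdr))
```

With the naive rule the Pi-hole's query to 172.16.1.1 is rewritten back to 172.16.1.5, which is the "cause DNS to fail" case; with the inverted rule it reaches Unbound, and only a Pi-hole that tries an external resolver directly ends up in the logged block rule.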



Title: Re: Force redirect DNS to pihole
Post by: mayo on August 27, 2020, 08:49:07 am
Good morning everybody,
I'm also interested in how to configure OPNsense/Pi-hole in the best way for a home network. I've tried to configure it but I have a lot of PTR requests in the Pi-hole interface that are not resolving names...
Thank you so much!
Title: Re: Force redirect DNS to pihole
Post by: guest25283 on August 27, 2020, 09:03:44 am
I have actually tinkered with this myself recently, and ultimately implemented the following, which turns out to be working very well.

My objective was also to catch and redirect all DNS queries towards pi-hole, which in return uses OPNsense as Unbound DNS resolver.

Course of action:
First, I created a new VLAN dedicated for my pi-hole. This is not required, but I decided to do so because of security considerations. The VLAN is firewalled, is not allowed to pass traffic to any other VLAN, and is only allowed to use TCP/UDP 53 outbound to ANY (as I am querying the root servers directly using Unbound) for DNS, and using HTTP/HTTPS to connect to the internet, to fetch updates.

Then I installed pi-hole, and selected the interface IP of the pi-hole VLAN as upstream DNS server.
That way, pi-hole will filter ads, but uses Unbound on OPNsense to do the actual lookup.
You could also install Unbound on the pi-hole itself and offload everything there, but I decided not to do so.
I then fine-tuned everything to my needs (blocklists, black/whitelisting, etc.), and considered that part done.

Next, I wanted to be sure that all DNS queries are sent to the pi-hole, for the VLANs I have set up.
For that, I used a NAT Port Forward rule, which is configured as follows: https://imgur.com/NzJUFPG

Details of this rule are:
- Interface - select your required interfaces to which this rule applies
- TCP/IP version - IPv4
- Protocol - TCP/UDP
- Source - do not select
- Destination/Invert - do not check
- Destination - Any
- Destination port range - DNS
- Redirect target IP - Your pi-hole IP address (I created an alias for it)
- Redirect target port - DNS
- Pool Options: Default
- Description - Redirect and pass DNS
- NAT reflection - Disable
- Filter rule association - Pass (I decided to choose pass, as this will reduce the amount of separate pass rules you need to create per interface)

I have also created an identical second rule, that is disabled, with the only difference that it contains the local loopback (127.0.0.1) address as Redirect Target IP, which is the firewall itself. This is a method of last resort, in case the pi-hole breaks down, or is unavailable for whatever reason.
I simply switch on this NAT rule and disable the other one, and remain up and running.
You need to be aware though that in case this is applied, advertisements are no longer blocked, unless you utilize the Unbound built-in blacklisting capabilities (Services > Unbound DNS > Blacklist). For peace of mind you could simply enable a fallback blacklist there, but I didn't care at this point in time. Perhaps some point of improvement towards the future :).

Last, but not least, let's test this out in practice, by going to https://dnsleaktest.com/. If all goes well, and you have applied the setup like I have depicted, you will see the WAN IP of your ISP there. If you have selected different DNS upstream servers, you will see these appearing here. Simply change the DNS server on one of your LAN devices, and run the test again to see if the redirection works.

I hope this is helpful to others!
Title: Re: Force redirect DNS to pihole
Post by: mayo on August 28, 2020, 08:00:10 am
I have actually tinkered with this myself recently, and ultimately implemented the following, which turns out to be working very well.

My objective was also to catch and redirect all DNS queries towards pi-hole, which in return uses OPNsense as Unbound DNS resolver.

Course of action:
First, I created a new VLAN dedicated for my pi-hole. This is not required, but I decided to do so because of security considerations. The VLAN is firewalled, is not allowed to pass traffic to any other VLAN, and is only allowed to use TCP/UDP 53 outbound to ANY (as I am querying the root servers directly using Unbound) for DNS, and using HTTP/HTTPS to connect to the internet, to fetch updates.

Then I installed pi-hole, and selected the interface IP of the pi-hole VLAN as upstream DNS server.
That way, pi-hole will filter ads, but uses Unbound on OPNsense to do the actual lookup.
You could also install Unbound on the pi-hole itself and offload everything there, but I decided not to do so.
I then fine-tuned everything to my needs (blocklists, black/whitelisting, etc.), and considered that part done.

Next, I wanted to be sure that all DNS queries are sent to the pi-hole, for the VLANs I have set up.
For that, I used a NAT Port Forward rule, which is configured as follows: https://imgur.com/NzJUFPG

Details of this rule are:
- Interface - select your required interfaces to which this rule applies
- TCP/IP version - IPv4
- Protocol - TCP/UDP
- Source - do not select
- Destination/Invert - do not check
- Destination - Any
- Destination port range - DNS
- Redirect target IP - Your pi-hole IP address (I created an alias for it)
- Redirect target port - DNS
- Pool Options: Default
- Description - Redirect and pass DNS
- NAT reflection - Disable
- Filter rule association - Pass (I decided to choose pass, as this will reduce the amount of separate pass rules you need to create per interface)

I have also created an identical second rule, that is disabled, with the only difference that it contains the local loopback (127.0.0.1) address as Redirect Target IP, which is the firewall itself. This is a method of last resort, in case the pi-hole breaks down, or is unavailable for whatever reason.
I simply switch on this NAT rule and disable the other one, and remain up and running.
You need to be aware though that in case this is applied, advertisements are no longer blocked, unless you utilize the Unbound built-in blacklisting capabilities (Services > Unbound DNS > Blacklist). For peace of mind you could simply enable a fallback blacklist there, but I didn't care at this point in time. Perhaps some point of improvement towards the future :).

Last, but not least, let's test this out in practice, by going to https://dnsleaktest.com/. If all goes well, and you have applied the setup like I have depicted, you will see the WAN IP of your ISP there. If you have selected different DNS upstream servers, you will see these appearing here. Simply change the DNS server on one of your LAN devices, and run the test again to see if the redirection works.

I hope this is helpful to others!

Not working for me... when I enable this rule I lose the connection, unable to navigate.
Title: Re: Force redirect DNS to pihole
Post by: Xelas on August 28, 2020, 08:14:27 pm
My spouse and I work from home and are both on calls at night fairly often, and kids are school-from-home, so I have had very few opportunities to mess with the router. I'll have some opportunities over the weekend and will try a couple of these approaches. I'll try mg82's cute NAT+ VLAN-based approach and AhnHEL's purely NAT-based one.

I think I understand both approaches, except for one thing in ahnHEL's. Why does that approach need global auto NAT reflection? I think that is a workaround because of this part:

Quote
3.  Go to Firewall/Rules/LAN and create a firewall rule to PASS from your PiHole to the LAN ADDRESS on port 53 and place it below the above Associated Filter Rule.

        PROTO        SOURCE      PORT    DESTINATION       PORT

>    TCP/UDP      PIHOLE IP     ANY     LAN ADDRESS     53(DNS)

I think the "below" is a mistake, and the rule will never actually fire because any port 53 traffic from the pihole to another LAN IP (as it is trying to respond to a DNS query) will get blocked by the rule above it outlined in step 2:
Quote
2. Go to Firewall/NAT/Port Forward and setup rule like below.

       INT   PROTO     SOURCE   PORT   DESTINATION    PORT      NAT IP                   NAT PORT
<->    LAN   TCP/UDP   ANY      ANY    !LAN ADDRESS   53(DNS)   (PIHOLE IP) 172.16.1.5   53(DNS)

Be sure to create the Associated Filter Rule with the above Port Forward and place it at the top of your LAN Rules.

You probably want to "PASS" DNS traffic going from the pihole to any valid interface including the router itself or even directly to the WAN gateway if your pihole is exclusively managing DNS for your networks. You want to pass port 53 to LAN or LAN/WAN before it hits that NAT rule, right? In that case:
Quote
>    TCP/UDP      PIHOLE IP     ANY     LAN ADDRESS     53(DNS)
needs to be ABOVE:
Quote
<->    LAN    TCP/UDP          ANY          ANY    !LAN ADDRESS     53(DNS)        (PIHOLE IP)        53(DNS)
right?
Then you won't need to set up a global NAT Reflection that affects all of your NAT rules, and not just this one.

I may be off base with this - thoughts?
Title: Re: Force redirect DNS to pihole
Post by: annoniempjuh on August 29, 2020, 04:36:04 pm
I did the same as mg82, created a VLAN purely for pi-hole.
Those VLANs can't talk to each other; only the redirect allows DNS traffic to pihole: (see attachment)
Then I created under NAT: Port Forward a rule for every interface that needs to use pi-hole (see attachment)
The rule itself is also in the attachment.
I didn't touch anything in NAT and DHCP, those are default.
Pi-hole itself uses unbound.
Title: Re: Force redirect DNS to pihole
Post by: Xelas on August 29, 2020, 10:37:56 pm
I did the same as mg82, created a VLAN purely for pi-hole.
Those VLANs can't talk to each other; only the redirect allows DNS traffic to pihole: (see attachment)
Then I created under NAT: Port Forward a rule for every interface that needs to use pi-hole (see attachment)
The rule itself is also in the attachment.
I didn't touch anything in NAT and DHCP, those are default.
Pi-hole itself uses unbound.

Thank you! Do you have destination/invert checked for the port 53 redirect NAT rules? You are explicitly blocking all traffic from the pihole to the LANs with no exceptions, so I assume that the NAT destination/invert rule takes care of that and that it is higher up in the order that the rules get processed. Otherwise, I can't see how the clients get their DNS responses back.
Did I get that right?
Title: Re: Force redirect DNS to pihole
Post by: decalpha on August 30, 2020, 09:23:31 am
I have this working with 20.1.9_1, followed the steps listed below:

https://www.reddit.com/r/OPNsenseFirewall/comments/97vikk/opnsense_and_pihole_a_guide_to_obscuring_your_dns/

Title: Re: Force redirect DNS to pihole
Post by: annoniempjuh on August 30, 2020, 11:11:35 am
Thank you! Do you have destination/invert checked for the port 53 redirect NAT rules? You are explicitly blocking all traffic from the pihole to the LANs with no exceptions, so I assume that the NAT destination/invert rule takes care of that and that it is higher up in the order that the rules get processed. Otherwise, I can't see how the clients get their DNS responses back.
Did I get that right?

If you checked the attachment you saw that Source/Invert and Destination/Invert are checked ;)
Not only can the pi-hole VLAN not talk to other interfaces, they also can't talk to pi-hole (except "lan", which uses the default "allow to all" rule).
If I disable this rule, no one can access Pi-hole DNS (except "lan").

See under this message an attachment of the firewall rules from "Guest Lan":
Title: Re: Force redirect DNS to pihole
Post by: Xelas on August 30, 2020, 05:48:09 pm
I have this working with 20.1.9_1, followed the steps listed below:

https://www.reddit.com/r/OPNsenseFirewall/comments/97vikk/opnsense_and_pihole_a_guide_to_obscuring_your_dns/
Most of the guides on the internet, such as the one you are linking to, are blocking DNS queries from clients that try to get around the pihole. We're redirecting the DNS queries to the pihole via NAT.
Title: Re: Force redirect DNS to pihole
Post by: samsonmcnulty on December 29, 2020, 06:14:24 pm
I have this working with 20.1.9_1, followed the steps listed below:

https://www.reddit.com/r/OPNsenseFirewall/comments/97vikk/opnsense_and_pihole_a_guide_to_obscuring_your_dns/

I probably need to update this